Blacklists probably won't keep up with phishing - they aren't working too
well so far.
Email authentication, such that the recipient of an email can be assured
that a) the sender is who they claim to be and b) they do represent the
organisation supposedly sending the email will push phishing into a niche
concept, rather than the current situation of being a strong source of fraud
and identity misuse.
While the so-called anti-phishing market is making money by being 30%
effective at preventing phishing losses, this won't happen, of course.
Just my 20 cents.
Lyal
-----Original Message-----
From: Brian Eaton [mailto:eaton.lists at gmail.com]
Sent: Wednesday, 26 July 2006 10:47 AM
To: Web Security
Subject: [WEB SECURITY] what if phishing went away?
I've been mulling over one of RSnake's recent blog entries:
http://ha.ckers.org/blog/20060724/firefox-20-anti-phishing-filter/
If browser-based antiphishing filters become widespread, will phishing stop
being profitable? Or will there be more clever phishing techniques that
evade the blacklists and the heuristics? (How long before the blacklists
get DDOSed?)
And if the browser based filters make phishing an uneconomical scam, will
that make technologies like passmark, dynamic security skins, and
transactional authentication obsolete?
It seems like blacklists have an important role to play, but they won't do
much to prevent small, targeted, phishing-style attacks. I'd like to see
improvements in web authentication UIs regardless. I could imagine a
scenario where the major phishing attacks stop being an issue because of
blacklists. At that point, a lot of the economic incentive for improving
web site authentication via other technologies would vanish.
Admittedly, a world where phishing is too minor a problem to worry about
would be a nice problem to have.
Regards,
Brian
----------------------------------------------------------------------------
The Web Security Mailing List:
http://www.webappsec.org/lists/websecurity/
The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]